🔒 Add Warning for Untrusted `delegatecall`s #14

pcaversaccio · 2025-02-25T14:17:41Z

🕓 Changelog

This PR adds a warning for the user if the transaction includes an untrusted delegate call (i.e. operation equals 1). The set of trusted delegatecallable contract addresses is defined by:

# Set the trusted (i.e. for delegate calls) contract addresses.
# See: https://github.com/safe-global/safe-transaction-service/blob/c3b42f0bebff74b99fcdd958aee54b149e27eca5/safe_transaction_service/contracts/management/commands/setup_safe_contracts.py#L10-L16.
declare -A -r TRUSTED_FOR_DELEGATE_CALL=(
    ["MultiSend"]="${MultiSend[@]}"
    ["MultiSendCallOnly"]="${MultiSendCallOnly[@]}"
    ["SafeMigration"]="${SafeMigration[@]}"
    ["SafeToL2Migration"]="${SafeToL2Migration[@]}"
    ["SignMessageLib"]="${SignMessageLib[@]}"
)

where

# Set the trusted (i.e. for delegate calls) `MultiSend` addresses:
# MultiSend `v1.1.1` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.1.1/multi_send.json#L7,
# MultiSend `v1.3.0` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/multi_send.json#L7,
# MultiSend `v1.3.0` (eip155): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/multi_send.json#L11,
# MultiSend `v1.3.0` (zksync): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/multi_send.json#L15,
# Multisend `v1.4.1` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.4.1/multi_send.json#L7.
declare -a -r MultiSend=(
    "0x8D29bE29923b68abfDD21e541b9374737B49cdAD" # MultiSend `v1.1.1` (canonical).
    "0xA238CBeb142c10Ef7Ad8442C6D1f9E89e07e7761" # MultiSend `v1.3.0` (canonical).
    "0x998739BFdAAdde7C933B942a68053933098f9EDa" # MultiSend `v1.3.0` (eip155).
    "0x0dFcccB95225ffB03c6FBB2559B530C2B7C8A912" # MultiSend `v1.3.0` (zksync).
    "0x38869bf66a61cF6bDB996A6aE40D5853Fd43B526" # MultiSend `v1.4.1` (canonical).
)

# Set the trusted (i.e. for delegate calls) `MultiSendCallOnly` addresses:
# MultiSendCallOnly `v1.3.0` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/multi_send_call_only.json#L7,
# MultiSendCallOnly `v1.3.0` (eip155): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/multi_send_call_only.json#L11,
# MultiSendCallOnly `v1.3.0` (zksync): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/multi_send_call_only.json#L15,
# MultiSendCallOnly `v1.4.1` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.4.1/multi_send_call_only.json#L7.
declare -a -r MultiSendCallOnly=(
    "0x40A2aCCbd92BCA938b02010E17A5b8929b49130D" # MultiSendCallOnly `v1.3.0` (canonical).
    "0xA1dabEF33b3B82c7814B6D82A79e50F4AC44102B" # MultiSendCallOnly `v1.3.0` (eip155).
    "0xf220D3b4DFb23C4ade8C88E526C1353AbAcbC38F" # MultiSendCallOnly `v1.3.0` (zksync).
    "0x9641d764fc13c8B624c04430C7356C1C7C8102e2" # MultiSendCallOnly `v1.4.1` (canonical).
)

# Set the trusted (i.e. for delegate calls) `SafeMigration` addresses:
# SafeMigration `v1.4.1` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.4.1/safe_migration.json#L7.
declare -a -r SafeMigration=(
    "0x526643F69b81B008F46d95CD5ced5eC0edFFDaC6" # SafeMigration `v1.4.1` (canonical).
)

# Set the trusted (i.e. for delegate calls) `SafeToL2Migration` addresses:
# SafeToL2Migration `v1.4.1` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.4.1/safe_to_l2_migration.json#L7.
declare -a -r SafeToL2Migration=(
    "0xfF83F6335d8930cBad1c0D439A841f01888D9f69" # SafeToL2Migration `v1.4.1` (canonical).
)

# Set the trusted (i.e. for delegate calls) `SignMessageLib` addresses:
# SignMessageLib `v1.3.0` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/sign_message_lib.json#L7,
# SignMessageLib `v1.3.0` (eip155): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/sign_message_lib.json#L11,
# SignMessageLib `v1.3.0` (zksync): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.3.0/sign_message_lib.json#L15,
# SignMessageLib `v1.4.1` (canonical): https://github.com/safe-global/safe-deployments/blob/4e25b09f62a4acec92b4ebe6b8ae496b3852d440/src/assets/v1.4.1/sign_message_lib.json#L7.
declare -a -r SignMessageLib=(
    "0xA65387F16B013cf2Af4605Ad8aA5ec25a2cbA3a2" # SignMessageLib `v1.3.0` (canonical).
    "0x98FFBBF51bb33A056B08ddf711f289936AafF717" # SignMessageLib `v1.3.0` (eip155).
    "0x357147caf9C0cCa67DfA0CF5369318d8193c8407" # SignMessageLib `v1.3.0` (zksync).
    "0xd53cd0aB83D845Ac265BE939c57F53AD838012c9" # SignMessageLib `v1.4.1` (canonical).
)

This PR also fixes the chain ID for X Layer, which is 196 and not 195. We also update the reference to the user interface, as OpenZeppelin has now published it here: safeutils.openzeppelin.com. Lastly, we update the brand name of BNB Smart Chain and OP (Optimism).

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

🔒 Add Warning for delegatecalls

48189cb

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

pcaversaccio self-assigned this Feb 25, 2025

pcaversaccio added the feature 💥 New feature or request label Feb 25, 2025

pcaversaccio added 2 commits February 25, 2025 18:47

🔒 Add Trusted Functions

960feab

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

🔒 Add SafeToL2Setup

11ab72b

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

pcaversaccio changed the title ~~🔒 Add Warning for delegatecalls~~ 🔒 Add Warning for Untrusted delegatecalls Feb 26, 2025

pcaversaccio changed the title ~~🔒 Add Warning for Untrusted delegatecalls~~ 🔒 Add Warning for Untrusted delegatecalls Feb 26, 2025

pcaversaccio added the documentation 📖 Improvements or additions to documentation label Feb 26, 2025

pcaversaccio added 3 commits February 26, 2025 20:42

♻️ Fix X Layer Chain ID

3a6f434

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

♻️ Update UI Link

edfa2af

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

📖 Update Branding Name for BSC and OP

31b6ac2

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

pcaversaccio mentioned this pull request Mar 5, 2025

Add Secure Multisig Signing Process security-alliance/frameworks#122

Open

pcaversaccio added 2 commits March 5, 2025 18:50

♻️ Remove SafeToL2Setup From List

e639f9d

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

♻️ Add Missing Parameter

b7f17b9

Signed-off-by: Pascal Marco Caversaccio <[email protected]>

pcaversaccio merged commit 761b4fa into main Mar 5, 2025
4 of 6 checks passed

pcaversaccio deleted the feat/add-delegatecall-check branch March 5, 2025 18:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🔒 Add Warning for Untrusted `delegatecall`s #14

🔒 Add Warning for Untrusted `delegatecall`s #14

pcaversaccio commented Feb 25, 2025 •

edited

Loading

🔒 Add Warning for Untrusted delegatecalls #14

🔒 Add Warning for Untrusted delegatecalls #14

Conversation

pcaversaccio commented Feb 25, 2025 • edited Loading

🕓 Changelog

🔒 Add Warning for Untrusted `delegatecall`s #14

🔒 Add Warning for Untrusted `delegatecall`s #14

pcaversaccio commented Feb 25, 2025 •

edited

Loading